Jose María Sarriegi

Critical infrastructure dependencies: A holistic, dynamic and quantitative approach

Abstract The proper functioning of critical infrastructures is crucial to societal well-being. However, critical infrastructures are not isolated, but instead are tightly coupled, creating a complex system of interconnected infrastructures. Dependencies between critical infrastructures can cause a failure to propagate from one critical infrastructure to other critical infrastructures, aggravating and prolonging the societal impact. For this reason, critical infrastructure operators must understand the complexity of critical infrastructures and the effects of critical infrastructure dependencies. However, a major problem is posed by the fact that detailed information about critical infrastructure dependencies is highly sensitive and is usually not publicly available. Moreover, except for a small number of holistic and dynamic research efforts, studies are limited to a few critical infrastructures and generally do not consider time-dependent behavior. This paper analyzes how a failed critical infrastructure that cannot deliver products and services impacts other critical infrastructures, and how a critical infrastructure is affected when another critical infrastructure fails. The approach involves a holistic analysis involving multiple critical infrastructures while incorporating a dynamic perspective based on the time period that a critical infrastructure is non-operational and how the impacts evolve over time. This holistic approach, which draws on the results of a survey of critical infrastructure experts from several countries, is intended to assist critical infrastructure operators in preparing for future crises.

Resilience framework for critical infrastructures: An empirical study in a nuclear plant

The safety and proper functioning of Critical Infrastructures (CIs) are essential for ensuring the welfare of society, which puts the issue of improving their resilience level at the forefront of the field of crisis management. Most of the resilience-building principles defined in the literature do not cover all the dimensions that make up resilience and most of them only focus within the boundaries of the CI, neglecting the role of the external agents that also have an influence on enhancing resilience. Furthermore, most of the principles that are present in the literature are theoretical and difficult to implement in practice.

Blind information security strategy

Abstract How do enterprises relate to and manage information security controls? This paper documents a study of twenty enterprises, six of them in the critical infrastructure (CI) domain. The state of security in the CI enterprises differed little from that in the other enterprises. Information security was seen as a technical problem with technical solutions. However, vulnerabilities in processes and human fallibility create a need for formal and informal controls in addition to technical controls. These three controls are interdependent. They vary widely in implementation time and resource needs, which render the task of building security resources a challenging problem. This paper presents a system dynamics model that illustrates how security controls are interconnected and are interdependent at a high level. The model is intended to aid security managers in CI domains to better understand information security management strategies, especially the complexities involved in managing a socio-technical system where human, organizational and technical factors interact. The model also demonstrates how the knowledge gained from proactive security activities can help managers improve the effectiveness of security controls, risk assessments and incident detection capabilities.

Towards a research framework for critical infrastructure interdependencies

Critical Infrastructure (CI) interdependencies have important consequences for crisis management, particularly when the crises are cross-border. However, research into CI interdependencies is still immature. The nature of large-scale, cross-border crises in these systems of systems is not easily understood. We have identified several aspects that need to be investigated to gain a more complete understanding of the development of crises in these systems. These aspects include the following: there is a need to understand CIs as interdependent elements of a complex system; ever-increasing interdependencies create new complexity; crises in CI are dynamically complex owing to the existence of significant time delays; there is a need for a long-term perspective; knowledge about CIs is fragmented and resides in many different stakeholders that need to be identified and brought together; there is a need for modelling techniques that can unite the fragmented CI knowledge; there is a need to create effective training and communication tools to transfer insights to crisis managers, policy makers and the general public.

Toward viable information security reporting systems

Purpose – This research paper aims to examine how incident‐reporting systems function and particularly how the steady growth of high‐priority incidents and the semi‐exponential growth of low‐priority incidents affect reporting effectiveness. Social pressures that can affect low‐ and high‐priority incident‐reporting rates are also examined.Design/methodology/approach – The authors reviewed the incident‐reporting system literature. As there are few studies of information security reporting systems, they also considered safety‐reporting systems. These have been in use for many years and much is known about them. Safety is used to “fill in the gaps”. The authors then constructed a system dynamics computer simulation model. The model is used to test how an incident‐reporting system reacts under different conditions.Findings – Incident reporters face incentives and disincentives based on effects on through‐put but have limited knowledge of what is important to the organizations security. Even if a successful i...

Enhancing resilience: implementing resilience building policies against major industrial accidents

The proper functioning of critical infrastructures (CIs) is vital for societys welfare. A disruption in one of them may lead to a crisis that affects not only the CI where the triggering event occurs but also the whole society. Therefore, it is fundamental to increase the whole systems resilience level. This paper defines resilience as the capacity of a system to prevent a crisis occurrence, to reduce the consequences from failure, and to recover rapidly and efficiently. Although there is much information about the definition of resilience, literature still lacks to provide a detailed holistic prescription about what activities should be carried out to improve the resilience level of the CIs and the society as a whole. This paper defines twelve policies that help to enhance the resilience level of all the stakeholders involved in crisis management, using information gathered from experts and examining several case studies.

Group model building: a collaborative modelling methodology applied to critical infrastructure protection

Large crises management, affecting CIs needs multidisciplinary knowledge including technical, economical, social, political, legal and managerial knowledge. Being these crises international a huge variety of agents is involved in their response. This situation concludes in a set of stakeholders who only have fragmented knowledge. In the presence of dispersed and incomplete knowledge, and of fragmented and disrupted crisis management, the collaborative approach group model building (GMB), where modelling experts unify fragmented, tacit knowledge from domain experts, is a valuable option. However, GMB has been little used in CIP. We have done so in the context a European project on crisis management of large-scale power cut crises. Particulars in CIP – variety of time horizons, different national perspectives, and challenges to create an international approach, among others – require adaptations in the GMB approach. This paper describes such adaptations and provides insights for better future collaborative modelling.

Environmental Management Evolution Framework Maturity Stages and Causal Loops

Environmental management has become a fundamental concern for organizations, customers, and citizens, yet there are few environmental management metrics that guide toward environmental excellence. This research presents a detailed qualitative model of the evolution of environmental management of a firm through the definition of maturity stages and causal influences. The model provides a technique for assessing maturity stages as well as steps that can assist or negate their ecological advancement. The causal-based classification helps companies to understand the need for nontechnical elements in the process, such as top management commitment. This article also contributes to the literature on integrative multimethod research, as it brings together several approaches to environmental management.

Three complementary approaches for crisis management

Crisis is a wide concept which may include a diverse set of events and behaviour patterns. Thus, crisis management requires complementary approaches that provide a more complete perspective. This paper describes a useful methodology to analyse crises from a multiple perspective approach that contributes to acquire a more deep understanding about crises and their management. The first approach focuses on the peak of the crisis paying attention to how to respond to the crisis–triggering event and to the cascading effects that amplify the crisis impact. The second approach adopts a long–term perspective, identifying the relationship between the policies implemented on the pre–crisis phase and the subsequent impacts on the crisis peak and post–crisis phases. The third approach researches on the learning process from one crisis to the next one.

A support methodology for EAI and BPM projects in SMEs

This paper presents a support methodology that facilitates the analysis of shared information between applications. The contemporary needs of information systems within companies rely on the integration of different applications. As a consequence, integration projects called EAI (enterprise application integration) and BPM (business process management) have arisen. These projects need support methodologies to facilitate the process of information integration. The aforementioned methodology also helps companies to align management applications with their business processes and to define the integration of the companys information systems.